Arrangement and method of privilege escalation detection in a computer or computer network
Abstract
An arrangement and a method of privilege escalation detection in a computer or computer network. The method comprises examining which executables are running in a target host; searching from a behavioral data source behavioral information of the executables running in the target host; including in a first list identification information of executables running in the target host which the behavioral information indicates are known to run with a first or a higher level privilege; including in a second list identification information of sensitive resources loaded or executed by the executables included in the first list; examining the sensitive resources included in the second list to determine whether that resource is writable by an executable running at a privilege level lower than the first level; and providing an indication of every resource that is loaded by the first or higher level privilege executable but is writable by the executable running at a privilege level lower than the first level as a potential vulnerability.
Claims
exact text as granted — not AI-modifiedThe invention claimed is:
1 . A method of privilege escalation detection in a computer or computer network, the method comprising:
examining which executables are running in a target host; searching from a behavioral data source behavioral information of the executables running in the target host; including, in a first list, identification information of executables running in the target host which the behavioral information indicates are run with a first- or a higher-level privilege; including, in a second list, identification information of sensitive resources loaded or executed by the executables included in the first list; examining the sensitive resources included in the second list to determine whether that resource is writable by an executable running at a privilege level lower than the first level by examining resources existing in the target host, and comparing the examined resources with the sensitive resources in the second list to determine which ones of the resources existing in the target host may be vulnerable; and providing an indication of every resource that is loaded by the first- or higher-level privilege executable but is writable by the executable running at a privilege level lower than the first level as a potential vulnerability.
2 . The method according to claim 1 , wherein the sensitive resources include at least file paths and/or registry keys.
3 . The method according to claim 1 , further comprising:
including, in the first list, identification information of every executable file run by a high privileged executable, every dynamic link library loaded by a privileged executable, and every registry key value read and executed by a privileged executable.
4 . The method according to claim 2 , further comprising:
including, in the first list, identification information of every executable file run by a high privileged executable, every dynamic link library loaded by a privileged executable, and every registry key value read and executed by a privileged executable.
5 . The method according to claim 1 , wherein the method is performed by the target host.
6 . The method according to claim 5 , wherein the method is performed by a virtual machine or software emulator running on the target host.
7 . The method according to claim 1 , wherein the method is performed by a virtual machine or software emulator running on a server.
8 . The method according to claim 1 , wherein the behavioral data source comprises one or more of the following:
information collected by a backend from one or more target hosts on processes that are run with the first- or a higher-level privilege, and information collected by a local sensor or a computer on the target host on processes that are run in the target host with the first- or higher-level privilege.
9 . An arrangement for privilege escalation detection in a computer or computer network, the arrangement comprising:
at least one computer comprising circuitry configured to:
examine which executables are running in a target host,
search, from a behavioral data source, behavioral information of the executables running in the target host,
include, in a first list, identification information of executables running in the target host which the behavioral information indicates are known to run with a first- or a higher-level privilege,
include, in a second list, identification information of sensitive resources loaded or executed by the executables included in the first list,
examine the sensitive resources included in the second list to determine whether that resource is writable by an executable running at a privilege level lower than the first level by examining resources existing in the target host, and comparing the examined resources with the sensitive resources in the second list to determine which ones of the resources existing in the target host may be vulnerable, and
provide an indication of every resource that is loaded by the first- or higher-level privilege executable but is writable by the executable running at a privilege level lower than the first level as a potential vulnerability.
10 . The arrangement according to claim 9 , wherein the at least one computer is further configured to:
include, in the first list, identification information of every executable file run by a high privileged executable, every dynamic link library loaded by a privileged executable, and every registry key value read and executed by a privileged executable.
11 . A non-transitory computer-readable medium comprising a computer program comprising instructions which, when executed by a computer, cause the computer to:
examine which executables are running in a target host; search, from a behavioral data source, behavioral information of the executables running in the target host; include, in a first list, identification information of executables running in the target host which the behavioral information indicates are known to run with a first- or a higher-level privilege; include, in a second list, identification information of sensitive resources loaded or executed by the executables included in the first list; examine the sensitive resources included in the second list to determine whether that resource is writable by an executable running at a privilege level lower than the first level by examining resources existing in the target host, and comparing the examined resources with the sensitive resources in the second list to determine which ones of the resources existing in the target host may be vulnerable; and provide an indication of every resource that is loaded by the first- or higher-level privilege executable but is writable by the executable running at a privilege level lower than the first level as a potential vulnerability.
12 . An apparatus for privilege escalation detection in a computer or computer network, the apparatus comprising:
one or more processors configured to:
examine which executables are running in a target host,
search, from a behavioral data source, behavioral information of the executables running in the target host,
include, in a first list identification, information of executables running in the target host which the behavioral information indicates are known to run with a first- or a higher-level privilege,
include, in a second list identification, information of sensitive resources loaded or executed by the executables included in the first list,
examine the sensitive resources included in the second list to determine whether that resource is writable by an executable running at a privilege level lower than the first level by examining resources existing in the target host, and comparing the examined resources with the sensitive resources in the second list to determine which ones of the resources existing in the target host may be vulnerable, and
provide an indication of every resource that is loaded by the first- or higher-level privilege executable but is writable by the executable running at a privilege level lower than the level first as a potential vulnerability.
13 . The apparatus according to claim 12 , wherein the one or more processors is configured to include, in the first list, identification information of every executable file run by a high privileged executable, every dynamic link library loaded by a privileged executable, and every registry key value read and executed by a privileged executable.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.